Brexit and the future of privacy: Crunching the data

As the world comes to terms with Brexit, it’s no surprise that there’s been wide speculation about the direction the UK will take after its divorce from the EU, and how this will determine who wins custody of Europe’s technology ecosystem.

The government has long promoted the idea that the UK should be a "global hub of technology excellence." But, with so much concern over the UK’s ability to attract talent and investment post-Brexit, has this become a pipe dream? Or is there an opportunity for the UK to exploit its detachment from the EU for competitive advantage as has been touted by others?

Wooing the giants: EU vs. US

The UK has traditionally been "business friendly" in its approach to regulation, particularly in the area of data privacy. It has frequently acted as a restraining influence, holding back the progression of increasingly onerous regulation emanating from the EU. So much so that US tech giants praised it for its “common sense” during the negotiations of the General Data Protection Regulations (GDPR), the comprehensive new privacy framework adopted by the EU in May this year.

Given the importance of data, especially personal information, to technology businesses active in the new information economy, it is tempting to think that the UK could reposition itself as a regulation-light environment for information-driven service providers looking to avoid the burden of EU regulation.

Whilst this is a possibility and there may be some flexibility around the margins, the smart money is that UK privacy regulation will essentially mirror EU regulation. It is not yet clear whether the UK will leave the single market or, more importantly, the single digital market. Access to this market is predicated on having the same or equivalent laws to ensure the market functions properly and fairly. Having similar or equivalent privacy laws will be the quid pro quo for retaining access to the single digital market. Even if the UK does not retain full access, the UK’s history of privacy laws predates the EU and is derived from the European Convention of Human Rights, which is entirely separate and independent of the EU.

It’s also worth considering the political effect of recasting the UK as some kind of privacy-light safe haven for global technology businesses at a time when relationships with our European neighbours are fragile and the UK is seeking to maintain healthy trading relationships.

Export grade privacy

Perhaps more important than the EU’s internal rules and trading guidelines is its decision to export its data protection rules globally. Both GDPR and the proposed amendments to the ePrivacy legislation are intended to apply to all businesses that collect, store or process data about EU residents, regardless of where in the world they might be located.

Without doubt, this is particularly aimed at Silicon Valley companies but will apply equally to UK companies in a post-Brexit world. So, even in the unlikely event the UK opts for a regulation-light environment, UK companies will still need to consider how they adopt a strategy for complying with tougher EU rules when selling into the EU market. For web-based services looking to offer the same service and a coherent user experience in multiple countries, this likely means defaulting to the highest standard rather than the lowest. After all, the penalties for falling on the wrong side of the law could be severe, with GDPR introducing fines of up to €20 million, or 4 per cent of a group’s annual worldwide turnover (whichever is higher) for serious data breaches.

The UK’s history of robust privacy laws and the need to retain trading relations with European partners in a way that facilitates the free flow of information in the digital economy are not the only influences directing the UK to remain aligned to the EU. Importantly, the path to stricter regulation is already mapped out with the implementation of GDPR in 2018, and a significant departure would mean a U-turn on established policy decisions.

#Privacy: trending globally

The last few years have seen an expansion across the world of data privacy laws modelled on the EU approach. Alongside the eleven countries or territories already recognised by the European Commission as providing adequate data protection, there have been several new entrants on the scene as South Korea, India, Hong Kong, Singapore, South Africa, Japan, Turkey and Brazil have either amended or introduced new comprehensive data protection laws that mirror the EU’s principles.

China’s conspicuous absence from this list may also be temporary, as the draft PRC Cyber security Law, which introduces wide-ranging provisions for cyber security, data anonymisation and data retention, had its second reading in July 2016. It would be hard to see the UK, as such a close ally and partner to the EU, bucking this trend.

Handing over the reins

With the UK’s co-reliance on the EU and its legislative principles so clearly established, what could become more of a concern is the effect of the UK's absence from the negotiating table. Looking ahead, the traditionally moderating influence of British lawmakers will likely be absent from the formation of the updated ePrivacy Directive and the application of future data protection legislation.

It is possible that, without the UK present, or with a UK delegation taking a back seat during discussions, negotiations for the new ePrivacy Directive may well result in a more prescriptive or onerous approach. Likewise, unless the UK regulator retains its seat on the EU privacy regulatory board, the development of guidance, approval of codes of practice and certification schemes will be conducted without its liberal influence and UK companies could therefore face a stricter application of an already restrictive legislative framework.

Looking at this on a more global level, with the EU leading the way in terms of privacy regulation, we could see an ever-increasing trend towards stricter regulation in countries that are looking to enhance existing rules or develop rules for the first time by mirroring EU law. The reality of the interdependent globalised information economy in which technology businesses operate is unlikely to provide the UK with an opportunity to “cut the red tape” and provide a privacy-light regime.

Paradoxically, the opposite might well be true as the UK’s withdrawal from the EU may lead to a stricter approach to privacy that could cause a ripple effect throughout the rest of the world.

Kolvin Stone and Alex Sobolev specialise in Privacy and Technology at law firm Orrick